
Friday, October 21, 2022

How Should Companies Prepare for Cybersecurity Regulations?

Very good, useful piece; there are many links. Use the link just below to get a version that includes all the links in the original ...

A collection of observations, news and resources on the changing nature of innovation, technology, leadership, and other subjects.   By Irving Wladawsky-Berger

How Should Companies Prepare for the Coming Cybersecurity Regulations

“Cybersecurity has reached a tipping point,” wrote MIT professor Stuart Madnick in a recent Harvard Business Review article, New Cybersecurity Regulations Are Coming. Here’s How to Prepare. “After decades of private-sector organizations more or less being left to deal with cyber incidents on their own, the scale and impact of cyberattacks means that the fallout from these incidents can ripple across societies and borders.”

Given the growing threat of cyberattacks, there’s an urgent need to improve the security of IT systems. However, we still don’t know a lot about cyberattacks, including how many attacks have taken place and who’s been attacked. Until recently, cybersecurity regulations were mostly focused on data privacy, and the only attacks that had to be reported were those involving personal information, such as the theft of names and credit card numbers.

For example, when Colonial Pipeline suffered a serious ransomware attack in May of 2021 that shut down nearly 50% of fuel deliveries to the US East Coast, neither the company nor the pipeline operators were required to report the attack because personal information wasn’t stolen. “As a result, it’s almost impossible to know how many cyberattacks there really are, and what form they take,” said Madnick. “Some have suggested that only 25% of cybersecurity incidents are reported, others say only about 18%, others say that 10% or less are reported.” We need detailed information on who is being attacked, how they are getting attacked, what the attackers are after, and what they’ve actually stolen.

Governments around the world are now proposing or enacting new laws and regulations. The General Data Protection Regulation (GDPR) requires that the EU’s 27 member states must report serious data breaches within 72 hours. In the US, new regulations and enforcement are likely to come from the White House, Congress, the Cybersecurity & Infrastructure Security Agency (CISA), the Securities and Exchange Commission, the Federal Trade Commission, and a number of other agencies. Thirty-six states have already enacted new cybersecurity legislation.

These new rules would require companies to report cyber incidents, like the Colonial Pipeline attack, especially when critical infrastructure industries are involved, such as energy, health care, communications and financial services. ...'

(Click through above for all links.)
